This Blog is about many things Rainer is interested in. This happens to include syslog, astronomy and other fun things.

Monday, March 05, 2012

CEE-enhanced syslog defined

CEE-enhanced syslog is an upcoming standard for expressing structured data inside syslog messages. It is a cross-platform effort that aims at making log analysis (and log processing in general) much more easy both for log producers and consumers. The idea was originally born as part of MITRE's CEE effort. It has been adopted by a larger set of logging stakeholders in an initiative that was named "project lumberjack". Under this project, cee-enhanced syslog, and a framework to make full use of it, is being openly advanced. It is hoped (and planned) that the outcome will flow back to the CEE standard.

In a nutshell cee-enhanced syslog is very simple and powerful: inside the syslog message, a special
cookie ("@cee:") is followed by a JSON representation of the data. The cookie tells processors
that the format is actually cee-enhanced. If you are interested in a more
technical coverage, have a look at my cee-enhanced syslog howto presentation.

Adiscon is one of the main supporters of project lumberjack and CEE enhanced syslog. Since February 2012, Adiscon products offer basic support for cee-enhanced syslog, being among the first tools to do so.